Snort mailing list archives

Re: SMTP rule needed


From: Paul.Simons () ihsenergy com
Date: Tue, 9 Apr 2002 14:57:22 -0600


Would this catch traffic going to 'hotmail' as well?
Thanks anyway it seems to work
Paul
--------------------------------------------------------------------------------------------

From:     Matt Kettler <mkettler () evi-inc com>
Sent by:  snort-users-admin@lists.sourceforge.net
To:       Paul.Simons () ihsenergy com, snort-users () lists sourceforge net
cc:
Subject:  Re: [Snort-users] SMTP rule needed
Date:     09-04-2002 13:57





how's this look (quick hack)?

alert tcp any any -> any 25 (msg:"smtp - mycompany.com";
content:"mycompany.com"; flags: A+; nocase; classtype:misc-activity;)

and for pop3:

alert tcp any 110 -> any any (msg:"pop3 - mycompany.com";
content:"mycompany.com"; flags: A+; nocase; classtype:misc-activity;)


At 12:36 PM 4/9/2002 -0600, Paul.Simons () ihsenergy com wrote:

How can I write a rule to flag when someone inside sends (or receives) an
email (SMTP) with 'mycompany.com' in the message body?
I have tried but I can't seem to get the syntax right.
Paul


_______________________________________________________________

Sponsored by:
Looking for hip toys and fun scwag.  There is no better place
then the good friends at ThinkGeek. http://www.ThinkGeek.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
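As an added illustration (my own example code, not part of this thread and not Snort's matching engine), here is a small Python evaluator that parses the two rules Matt posted and applies their port, flags and nocase content checks to constructed sample TCP segments. The rule text is copied from the thread; the packets, port numbers and payloads are made up. It also shows why a rule scoped to port 25 sees nothing of a webmail session carried over HTTP, which bears on the question about hotmail.

```python
"""Toy evaluator for the two Snort rules from the thread.

Added example: this is not Snort and only supports the options the rules use
(msg, content, flags, nocase). Packets below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Rules exactly as posted in the thread ("mycompany.com" is the poster's placeholder).
SMTP_RULE = ('alert tcp any any -> any 25 (msg:"smtp - mycompany.com"; '
             'content:"mycompany.com"; flags: A+; nocase; classtype:misc-activity;)')
POP3_RULE = ('alert tcp any 110 -> any any (msg:"pop3 - mycompany.com"; '
             'content:"mycompany.com"; flags: A+; nocase; classtype:misc-activity;)')

# action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')


@dataclass
class Rule:
    msg: str
    proto: str
    sport: str            # "any" or a port number as text
    dport: str
    content: bytes
    nocase: bool
    flags: Optional[str]  # e.g. "A+"; None when the rule sets no flags option


@dataclass
class Packet:
    proto: str
    sport: int
    dport: int
    flags: str            # TCP flag letters that are set, e.g. "AP"
    payload: bytes


def parse_rule(text: str) -> Rule:
    """Split a one-line rule into its header fields and the options we support."""
    m = HEADER_RE.match(" ".join(text.split()))
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    opts = {}
    for item in m.group("opts").split(";"):
        item = item.strip()
        if item:
            key, _, val = item.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return Rule(msg=opts.get("msg", ""), proto=m.group("proto"),
                sport=m.group("sport"), dport=m.group("dport"),
                content=opts["content"].encode(), nocase="nocase" in opts,
                flags=opts.get("flags"))


def port_match(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def flags_match(spec: Optional[str], have: str) -> bool:
    """'A+' means the listed flags must be set and others may be; plain 'A' is exact."""
    if spec is None:
        return True
    want = set(spec.rstrip("+"))
    if spec.endswith("+"):
        return want <= set(have)
    return want == set(have)


def content_match(rule: Rule, payload: bytes) -> bool:
    if rule.nocase:
        return rule.content.lower() in payload.lower()
    return rule.content in payload


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (pkt.proto == rule.proto
            and port_match(rule.sport, pkt.sport)
            and port_match(rule.dport, pkt.dport)
            and flags_match(rule.flags, pkt.flags)
            and content_match(rule, pkt.payload))


def evaluate(rules: List[Rule], packets: List[Packet]) -> List[List[str]]:
    """For each packet, the msg of every rule that fires on it."""
    return [[r.msg for r in rules if rule_matches(r, p)] for p in packets]


# Constructed sample segments (not captured traffic).
SAMPLE_PACKETS = [
    # 1. outbound SMTP DATA segment whose body mentions the domain, mixed case
    Packet("tcp", 51234, 25, "AP", b"DATA\r\nSubject: hi\r\n\r\nmail me at bob@MyCompany.COM\r\n.\r\n"),
    # 2. webmail: the same text submitted over HTTP to port 80, invisible to a port-25 rule
    Packet("tcp", 51235, 80, "AP", b"POST /compose HTTP/1.1\r\nHost: webmail.example\r\n\r\nbody=mycompany.com"),
    # 3. POP3 server delivering a message that mentions the domain
    Packet("tcp", 110, 51236, "AP", b"+OK 412 octets\r\nFrom: x@mycompany.com\r\n"),
    # 4. SMTP segment without the string
    Packet("tcp", 51237, 25, "AP", b"EHLO client.example\r\n"),
    # 5. SYN to port 25 with no ACK: rejected by flags A+ before content is looked at
    Packet("tcp", 51238, 25, "S", b""),
]


def run_demo() -> List[List[str]]:
    return evaluate([parse_rule(SMTP_RULE), parse_rule(POP3_RULE)], SAMPLE_PACKETS)


if __name__ == "__main__":
    for pkt, hits in zip(SAMPLE_PACKETS, run_demo()):
        print(f"{pkt.sport:>5} -> {pkt.dport:<5} flags={pkt.flags:<2} {hits or 'no match'}")
```

Run it directly to print which rule fires on each sample segment: only the SMTP segment and the POP3 response match, while the webmail POST on port 80 does not. One limitation this toy shares with any per-segment content match: a string split across two TCP segments goes unmatched unless the stream is reassembled first, which in Snort is the job of the stream preprocessor rather than the rule.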






